An SLA-Based Approach for Network Anomaly Detection

  • Yasser Yasami
Part of the Advances in Intelligent and Soft Computing book series (AINSC, volume 85)


The main drawback of traditional signature-based intrusion detection systems – their inability to detect novel attacks lacking known signatures – makes anomaly detection systems a vibrant research area. In this paper, an efficient learning algorithm that constructs learning models of normal network traffic behavior is proposed. Behavior that deviates from the learned normal model signals possible novel attacks. The proposed technique is novel in its application of stochastic learning automata to the problem of ARP-based network anomaly detection.


Anomaly Detection; Stochastic Learning Automata (SLA); Address Resolution Protocol (ARP)




Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Yasser Yasami, Computer Engineering Department, Payam-e-Nour University, Tehran, Iran
